Which Comes First? Policy or Technology

Policy before technology, or deploy technology first before enforcing a new policy? That's an age-old business conundrum, and even after all this time, I don't believe anyone has a real handle on it. Why? Because "it depends."

Companies put technology policies in place for a reason, but generally you'll find that a policy, without the proper technology to back it up, doesn't have much credibility. However, the "it depends" scenario has a lot to do with corporate management, the company's employees, and the abilities of the IT staff.

IT is generally in charge of identifying where new technology policies are required; then it has to sell them to corporate management, and if approved, corporate management has to communicate the mandate to the company's employees. But then the company's employees have to accept it. No matter how strong and important the policy, whether it's been created to address technical limitations or potential legal consequences, the end-user still has to decide to follow it. And this is the real struggle.

Those of you working in IT find that end-users will ignore technology policies, seemingly deciding that they don't apply to them for some reason, or that their case is special enough to disregard them without notifying anyone. Policy says you don't install a specific application on company-owned computers, or that certain websites are off limits, or that you don't store corporate data in a consumer Cloud service, but you find those rules ignored in a lot of cases.

It's only after you implement technology to monitor, manage, and enforce the policies that you uncover those employees who believe they are above company-defined technology policies.

I remember working in IT, with policy plainly stated by management, yet the rules were broken quite often. Walking around the office, I'd regularly find prohibited applications running on laptops that had been vacated while the employees were away for lunch. After we implemented technology to enforce the policy, it went something like this…

Employee: "Hey, there's something wrong with my PC. Come here and I'll show you the problem."

Me (grudgingly forfeiting my own important task to walk to the end-user's desk): "What's the problem?"

Employee: "This app was working yesterday, but today it just won't start up. I've already tried reinstalling it. Same result."

Me: "That application is against company policy because corporate found that it causes problems with the applications you need to do your job. You shouldn't have it installed. We have installed technology to prohibit it from running. The email went out to everyone 2 weeks ago."

Employee: "But, I need it. I use it to keep track of my son's baseball stats."

In hindsight, if we had developed the policy along with building the technology to enforce it, and then rolled them out together, situations like this would have been avoided. This was only one example, but there were many.

These days, there are just too many options available to the end-user, particularly as BYOD and Consumerization become so popular. Allowing employees to use their own devices for work also means that they will have more opportunity to choose the Cloud services they use for things like storing files. Policy may say you don't store corporate files in an unapproved location; however, each platform (iOS, Android, Windows) makes it so easy to use its own branded file storage service.

The more unfortunate thing is that the technology is not quite there yet to back up a solid policy. So, while policy may say one thing, the proper technology is not available (or may be too costly) to enforce it. Too many companies are too impatient to wait for technology to catch up, and that can result in more than just an upset employee. It could result in lost or stolen corporate data, or even litigation.

So, I'm curious. What steps does your company take? Do you communicate policy first, or build the technology to back it up and then roll them out together?